As I’m writing more on identity management and thinking about the subject, I am starting to understand an important difference. In the debate on internet privacy, people frequently seem to confuse privacy with anonymity. In my article on identity keys I defined the following:
- Identity Key (IK): A well-defined subset of IAs taken from the identity I, used to authenticate ourselves in various situations.
It is important to realize that the owner of such an identity key is, well, the owner! As it goes with ownerships, the owner gets to decide what to do with it. So people can choose to use their identity key or not. So how does this fit in with the difference between privacy and anonymity?
Keys
A key is usually used to unlock a lock. It is no different with identity keys. A lock is typically used to safeguard something that has value. Value is a relative measure in most if not all cases. Usually a key should have a similar value to the holder as the value of that which is locked in. To the author of this article the contents of this article may have a high value while to others it may have absolutely no value and they don’t want to keep track of yet another key. Key chains can get rather heavy and many people do not like to walk around with heavy rattling key chains, never mind trying to find the right key constantly for each lock.
At some point, and probably still, HTTP cookies were considered keys. Privacy — or anonymity — fundamentalists argued, and probably still argue, that such an HTTP cookie should only be sent with the permission of the person browsing the web. Most browsers nowadays have settings that ask people for confirmation before a cookie is set. Most people disable this option because they found out they need very, very big key chains on the internet, particularly because every website has its own method of making such a key.
What if we could help people carry around a key chain of:
- nearly infinite size
- infinitely light weight and,
- the opportunity to instantly grab the right key for every lock
We could also define a broad range of key values, the keys of lesser value could be treated in an automated way while keys of a higher value could be set to manual use. Let’s say a webmaster would want to know how often a certain person returns to his website. He doesn’t care about the real name, not the passport number, not the birthdate etc. just the fact that it’s the same person who visited his site yesterday. The feedback the webmaster would get from this would be ‘how interesting is my website and does it make people want to come back?’. So let’s say that we define a key of low value that consists of the Identity Attribute UUID only, where UUID is an absolutely unique identifier. The same UUID can come from multiple IP addresses; perhaps the person viewing the website reads from home, from work, from his smartphone or through a wireless network so without a UUID there is absolutely no feedback for the webmaster on how he’s doing.
Now let’s say your identity manager gives you the choice to set ‘Allow website to ask me for my UUID without my intervention’. All that you give away with this is an anonymous and unique number. There is still the ‘danger’ of deanonymizing: the webmaster could go to your ISP and, with your UUID and IP address in hand, ask the ISP who you are. Should the ISP give this information, the identity attributes the ISP has on you can now be combined with your UUID.
In the above diagram we see some necessary attributes, like your address, that the ISP needs to know to hook up your service; some implied attributes that you give them, like your bank account number and your name when you pay them for their service; and an imposed attribute, the IP address. Only by the linkage (double arrow) of two identical fields, in this case the IP address, at the combining parties could the website conceivably get hold of all the attributes your ISP holds on you. Interestingly enough, the linking pin that allows linkage is the imposed attribute, one that’s not in your possession or control. I have not done any research into this yet, but my suspicion is that all linkage may be related to imposed attributes.
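The key-value policy and the linkage described above can be modeled in a few lines. This is an added example, not code from the original article: the key names, the value scale, the `AUTO_MAX_VALUE` threshold and all sample attribute values are assumptions constructed for illustration.

```python
# Added example; all names and values below are constructed for illustration.
OWNED = {"uuid": "00000000-0000-4000-8000-000000000001",
         "name": "Alice Example", "address": "1 Sample Street",
         "bank_account": "CONSTRUCTED-0001"}
IMPOSED = {"ip_address": "192.0.2.10"}   # assigned by the ISP, not by the owner

# Identity keys: (attribute names, value the owner assigns to the key).
KEYS = {"return_visitor": (("uuid",), 1),
        "isp_contract": (("name", "address", "bank_account"), 8)}
AUTO_MAX_VALUE = 1   # assumed policy: keys above this value need manual consent

def release(key_name, owner_confirms=False):
    """Return what the asking party receives, or None if release is refused."""
    attributes, value = KEYS[key_name]
    if value > AUTO_MAX_VALUE and not owner_confirms:
        return None
    disclosed = {a: OWNED[a] for a in attributes}
    disclosed.update(IMPOSED)   # imposed attributes travel with every key
    return disclosed

def link(record_a, record_b):
    """Combine two parties' records only via attributes with identical values."""
    shared = sorted(k for k in record_a
                    if k in record_b and record_a[k] == record_b[k])
    if not shared:
        return None, shared
    return {**record_a, **record_b}, shared

if __name__ == "__main__":
    website = release("return_visitor")                 # released automatically
    isp = release("isp_contract", owner_confirms=True)  # released manually
    merged, pins = link(website, isp)
    print("linking pins:", pins)
    print("attributes after linkage:", sorted(merged))
    # Without the imposed attribute the two records cannot be joined.
    print(link({"uuid": OWNED["uuid"]}, isp))
```

The only linking pin between the website's record and the ISP's record is the imposed `ip_address`; a record holding the UUID alone cannot be joined to the ISP's data.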
Privacy
Using the above on keys, we can come to a reasonably meaningful definition of privacy.
- Privacy is freedom of choice
As the owner of your own identity attributes you get to choose which identity attributes you want to build an identity key of a specific value with, but imposed attributes are always a part of your key. You get to judge ‘what is the value of what I want’ and decide whether the value of the key you’re asked to give is equivalent. By deciding to use a key you also indicate that whatever it is you choose to unlock has more than zero value to you, or you choose to unlock its value through other means. These other means may be the exchange of any other valuables like cash, services, goods etc.
Anonymity
A lot of people seem to believe that privacy in the context of the internet means that no internet services should be allowed to ask for any key. This is called anonymity. Essentially it means you do not want to use a key, either because the key management is too tedious or you feel that what you want to do deserves no lock to begin with. I stop short of saying ‘and therefore has no value to you’ because this isn’t always the case; we do not expect a beautiful piece of nature to ask us for our identity before being able to look at it, but we do acknowledge its value. This is also because some entities cannot ask us for our identities and even if they could they probably wouldn’t.
Like I said before in the chapter on privacy, there are situations where something of value can be unlocked through other means than by identifying yourself. In fact the majority of transactions in the offline world do not require identification in any way or identification is downright undesirable:
- When buying groceries in the supermarket, more and more often people give away an important identity attribute without thinking about it. ATM passes are a convenient and quick way to pay for the groceries but they make us highly trackable. Most people do not mind this because they feel the expedience and convenience outweighs the trackability.
- While, debatably, we give away some identity attributes when buying a CD in a music shop (our hair color, eye color, height, etc.) the primary way of returning value for the CD is simply cash. Our identity is not relevant here. A camera to record our transactions would be considered annoying by most, unacceptable by some.
- When visiting a sexclub, we would give away similar identity attributes as when buying a CD. Typically it will be in a dimly lit environment since visitors do not want to be recognized. The primary way of returning value for the service is simply cash. Our identity is relevant here mostly to ourselves; we do not want it to be common knowledge. A camera to record our transactions would be considered totally unacceptable.
So broadly stating, we could say that not only equal value changes hands in a transaction but also:
- The nature of the valuables changing hands needs to have opposite similarity.
As we saw in the previous examples, groceries, to most people, have a relatively low privacy component to them. This lowers the barrier for people to disclose more information about themselves as, broadly speaking, ‘who cares what groceries I buy?’. Buying CDs of a particular artist or band could give away more information about personal preference; it is less of a commodity in some ways, so some people may subconsciously decide to pay cash, thus returning less private information in return. Services rendered by a prostitute would be considered very personal, which is why frequently we don’t want to return private information at all in return.
Network Neutrality
In the context of the above I kept thinking about network neutrality. Quoting from wikipedia:
Network neutrality (also net neutrality, Internet neutrality) is a principle proposed for user access networks participating in the Internet that advocates no restrictions on content, sites, or platforms, on the kinds of equipment that may be attached, and on the modes of communication allowed, as well as communication that is not unreasonably degraded by other traffic.
Most of these are under the direct control of your ISP, as they are mostly technical aspects. Some, however, may be under the control of core network elements, which could, for example, lower the bandwidth based on whether you’re browsing Usenet, downloading through P2P etc.
A degradation of traffic caused by other traffic however is often a direct result of things like downloading movies and music and using inordinate amounts of bandwidth for that by your neighbor. I’m curious to find out:
People tend to believe that when they get ‘60Mbps download speed for $50/month’ they get a guarantee that they always get that download speed. In reality this is hardly ever true and it’s all contained in the fine print. Most ISPs use what’s called an overbooking factor. Let’s say an ISP sells you 60Mbps with an overbooking factor of 5. Let’s say all your 9 neighbors have internet through the same provider. The ISP would then buy 10 x 60 = 600 Mbps, right? Wrong! They would buy 600 / 5 = 120Mbps. If all your neighbors were downloading like mad, completely stuffing their whole connection, they would actually get 120/10 = 12Mbps. ISPs will tell you what the overbooking factor is, but nobody really understands it, and the ISP can always blame it on ‘the weakest link’ in the internet, which is typically not under their control. Either way, if your 9 neighbors are unemployed and constantly downloading movies, you will at some point get dissatisfied with the ISP’s service and claim that they don’t give you what they told you they’d give, while in reality they do. If your ISP wanted to guarantee you 60Mbps they would indeed have to buy 600Mbps in bandwidth and pay 5 times as much, either lowering their profit margin or charging you for it, making your internet connectivity go to $250 a month.
But wait… there are not just enthusiastic downloaders. There are also people whose computers have been hacked and are constantly pushing out spam email, running as a node in a botnet, participating in botnet attacks etc., or other bad use of the internet. While you could conceivably muster up some sympathy for the poor bloke being at home without a job and wanting to watch some movies, none of the 10 ISP customers is going to be happy now, only the spammers that have taken over your computer! And it trickles down to all the core routers on the internet that have to route, and get congested with, all of this extra and probably unwanted traffic.
This probably unwanted traffic can only exist by the virtue of anonymity.
What it means to IdM
Just like in the offline examples given in the chapter on anonymity, where there are valuables containing a relatively high privacy component, there are also valuables in the online world that contain relatively high privacy components:
- Most people won’t object to return considerable privacy aspects about themselves when buying, for example, clothes online.
- More people will object to giving personal information when looking at online pornography.
- Most people would strongly object to giving out personal information when downloading copyrighted movies or music.
While the above examples, as well as the examples in the offline world, are often strongly personal, statistics could be kept on the privacy value of the valuables out on the internet. We’ve talked in an earlier article about the IAIV and IAEV; similar values could be attached to every entity.
